Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0

Request new rule of spike on values #681

Open jeffpeiyt opened 8 years ago

jeffpeiyt commented 8 years ago

Hi,

This is awesome! We would like to ask for a feature request of a new rule with spike on values / pct gap compared with history[avg, std dev, in duration].

Alert sent when the value is more than k% or value diff from the history. K could be relevant to the history's avg and std dev.

thanks,

bean5 commented 8 years ago

Spike already uses a double-window which is probably a sort of moving average (stock brokers use these to detect upturns/downturns, I think). Are you sure it isn't sufficient for what you need, @jeffpeiyt?

jeffpeiyt commented 8 years ago

Thanks for your kind guidance. The spike described here only measured the frequency of the events happening. However, we would like to work on the values of the events to get its moving avg.

http://stats.stackexchange.com/questions/41145/simple-way-to-algorithmically-identify-a-spike-in-recorded-errors


Spike Detection in a Time-Series

The simplest thing you should start by doing is to compute a moving average of your input values. If your series is $x_1, x_2, \ldots$, then you would compute a moving average after each observation as:

$$M_k = (1-\alpha) M_{k-1} + \alpha x_k$$

where the $\alpha$ would determine how much weight to give the latest value of $x_k$.

If your new value has moved too far away from the moving average, for example

$$\frac{x_k - M_k}{M_k} > 20\%$$

then you raise a warning.
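
The moving-average check quoted in the comment above, as an added example that is not part of the thread or of ElastAlert's code. The class and function names, the `warmup` and `two_sided` parameters, and the sample series are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class EwmaSpikeDetector:
    """Flags values that sit too far from an exponential moving average."""
    alpha: float = 0.2        # weight given to the latest value x_k
    threshold: float = 0.20   # relative gap (x_k - M_k) / M_k that raises a warning
    warmup: int = 3           # observations absorbed before alerting (assumption)
    two_sided: bool = False   # also flag drops, not only rises (assumption)
    mean: Optional[float] = None
    seen: int = 0

    def update(self, x: float) -> Optional[float]:
        """Feed one value; return the relative gap if it is a spike, else None."""
        self.seen += 1
        if self.mean is None:
            self.mean = x      # seed the average with the first observation
            return None
        # M_k = (1 - alpha) * M_{k-1} + alpha * x_k
        self.mean = (1 - self.alpha) * self.mean + self.alpha * x
        if self.mean == 0:
            return None        # relative gap is undefined; skip instead of dividing by zero
        gap = (x - self.mean) / abs(self.mean)
        if self.seen <= self.warmup:
            return None        # average has not settled yet
        magnitude = abs(gap) if self.two_sided else gap
        return gap if magnitude > self.threshold else None


def find_spikes(values: Iterable[float], **kwargs) -> List[Tuple[int, float, float]]:
    """Return (index, value, relative gap) for every value flagged as a spike."""
    detector = EwmaSpikeDetector(**kwargs)
    hits = []
    for i, x in enumerate(values):
        gap = detector.update(x)
        if gap is not None:
            hits.append((i, x, round(gap, 3)))
    return hits


# Constructed sample: per-minute average of a numeric field (e.g. response time in ms).
SAMPLE = [100, 102, 98, 101, 99, 180, 103, 100, 40, 101]

if __name__ == "__main__":
    print(find_spikes(SAMPLE))                  # rises only
    print(find_spikes(SAMPLE, two_sided=True))  # rises and drops
```

Because $M_k$ already includes $x_k$, the gap measured here is $(1-\alpha)$ times the gap against the previous average, so a smaller `alpha` makes the same threshold more sensitive.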

pataquets commented 6 years ago

Same here. We're collecting both statsd and collectd metrics on ES and would love the spike type rule to compare on avg/sum/etc of some field values for both time windows. Not sure if it can be done, or how complex it would be to code a new Rule module for it. Advice on any/both subjects is welcome.

pataquets commented 6 years ago

Found #1288, which might be useful.

Ivogeel123 commented 6 years ago

Is there any progress on this? 😄 I've read the #1288 but don't see any solution in it for me

Thanks in advance

maniankara commented 5 years ago

Same situation here. Any alternatives/workarounds for this?